Why Security Teams Need More Than a Mirror Port
Most security incidents start as packets on a wire. Intrusion detection systems, network forensics platforms, DDoS mitigation appliances, and SIEM collectors all depend on seeing actual traffic. But the way that traffic reaches those tools is not always obvious, and the wrong choice at the visibility layer can blind your security stack at the worst possible moment.
Two devices sit at the centre of this decision: the network TAP (Test Access Point) and the packet broker. They solve related but different problems, and many Australian enterprises discover too late that they deployed only one when they needed both.
This article explains what each device does, where it fits in a security monitoring architecture, and how to decide between them based on your port density, tool count, and traffic volume.
What Is a Network TAP?
A network TAP is a simple hardware device that sits inline between two network points, such as a firewall and a core switch, or two routers in a data centre spine-leaf fabric. Its job is to create an exact copy of every packet flowing through the link without altering, delaying, or dropping production traffic.
How TAPs Work
TAPs operate at Layer 1 (physical layer) of the OSI model. A passive optical TAP, for example, splits the light signal on a fibre link and sends one copy to the production path and another to a monitoring port. Active copper TAPs regenerate the electrical signal on both sides. In both cases, the production link remains up even if the monitoring side loses power or the connected tool goes offline.
This is the key safety property of a TAP: it is a zero-impact device. It does not store packets, it does not buffer, and it does not introduce latency. If you need to guarantee that your monitoring infrastructure cannot affect production traffic, a TAP is the only device that provides that guarantee by design.
Types of Network TAPs
- Passive fibre TAPs: split light without power; suitable for single-mode or multi-mode optical links.
- Active copper TAPs: regenerate signal on copper Ethernet links; require power but add negligible latency.
- Aggregating TAPs: combine traffic from both directions of a full-duplex link onto a single output port.
- Regeneration (breakout) TAPs: create multiple copies of the same traffic for delivery to several tools simultaneously.
TAP Limitations
A TAP mirrors everything. On a 10 Gbps link, the TAP produces a full 10 Gbps copy in each direction. If your security tool can only accept 2 Gbps, you have a problem. TAPs also cannot filter traffic, deduplicate packets, strip headers, slice packets to reduce size, or load-balance across multiple tool ports. They are a fixed-pipe device: one link in, traffic copies out.
For a single link feeding a single tool, that limitation may be acceptable. For a production network with dozens of links and multiple security tools, TAPs alone create a scaling bottleneck.
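The sizing problem described above is easy to check numerically. The following is an added example, not xSONIC's code and not from the original article; the link rates, tool capacity and packet-size mix are constructed inputs. It works out how much copy traffic a set of TAPs produces (each direction of a full-duplex link is copied separately), whether a single tool port can absorb it, and how much packet slicing to a fixed snap length reduces the load:

```python
"""Sizing check for TAP output versus tool ingest capacity.
Added example, not xSONIC's code; all inputs below are constructed."""


def tap_output_gbps(link_gbps, full_duplex=True):
    # A TAP copies each direction separately, so a full-duplex link produces
    # twice its rated bandwidth in copies (two monitoring ports, or one
    # aggregated port that can be oversubscribed during bursts).
    return link_gbps * (2 if full_duplex else 1)


def kept_fraction_after_slicing(size_mix, snaplen):
    """Fraction of bytes that survive slicing every packet to `snaplen`.

    size_mix is [(packet_bytes, share_of_packets), ...]; shares sum to 1.
    Bytes are weighted by packet size, so large packets dominate the saving."""
    total = sum(size * share for size, share in size_mix)
    kept = sum(min(size, snaplen) * share for size, share in size_mix)
    return kept / total


def monitoring_budget(link_rates_gbps, tool_capacity_gbps, size_mix, snaplen):
    """Compare aggregate TAP output against one tool port, raw and after slicing."""
    per_link = [tap_output_gbps(rate) for rate in link_rates_gbps]
    aggregate = sum(per_link)
    fraction = kept_fraction_after_slicing(size_mix, snaplen)
    return {
        "per_link_gbps": per_link,
        "aggregate_gbps": aggregate,
        "fits_raw": aggregate <= tool_capacity_gbps,
        # Links whose own copy already exceeds the tool: even a one-link,
        # one-tool TAP design needs a faster tool or a broker here.
        "links_exceeding_one_tool": [
            rate for rate, out in zip(link_rates_gbps, per_link)
            if out > tool_capacity_gbps
        ],
        "aggregate_after_slicing_gbps": aggregate * fraction,
        "fits_after_slicing": aggregate * fraction <= tool_capacity_gbps,
    }


def demo():
    # Constructed scenario: two 10 Gbps core links and two 1 Gbps WAN links
    # feeding a single 10 Gbps IDS ingest port, with an IMIX-like size mix
    # and slicing to 128 bytes (enough for Ethernet/IP/TCP headers).
    size_mix = [(64, 0.5), (576, 0.2), (1500, 0.3)]
    return monitoring_budget([10, 10, 1, 1], 10, size_mix, 128)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this scenario the raw copies (44 Gbps) cannot reach a 10 Gbps tool, and each 10 Gbps link on its own already exceeds it, so a TAP-only design fails regardless of how many tools you buy; slicing to headers brings the aggregate to roughly 7 Gbps, which fits, but only for tools that work from flow metadata rather than payload.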
What Is a Packet Broker?
A network packet broker (NPB) is an intelligent traffic-processing device that sits between your TAPs (or SPAN ports) and your monitoring tools. It receives copies of network traffic from multiple sources, then applies processing logic to filter, aggregate, deduplicate, load-balance, and deliver the right traffic to the right tool.
Think of it this way: TAPs are the eyes. Packet brokers are the brain that decides which tool sees what.
Core Packet Broker Capabilities
- Traffic aggregation: combine traffic from multiple TAPs or SPAN ports onto a single output.
- Traffic filtering: forward only relevant flows (e.g., by VLAN, source IP, destination port, or protocol) to each tool.
- Packet deduplication: remove duplicate copies of the same packet that arrive from multiple TAP paths.
- Packet slicing: truncate packets after the header to reduce bandwidth while preserving flow metadata.
- Load balancing: distribute traffic across a cluster of tools so no single device is overwhelmed.
- Header stripping: remove outer VLAN, VXLAN, GRE, or MPLS headers before delivering to tools that cannot decode them.
- Timestamping: add nanosecond-precision timestamps for forensic and compliance use.
- Tunnel processing: decapsulate or encapsulate traffic flowing through GRE, VXLAN, or ERSPAN tunnels.
These capabilities transform raw packet copies into structured, tool-ready data streams. Without them, security tools either receive too much traffic (and drop packets internally) or miss relevant flows because no filtering exists upstream.
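To make the filtering, deduplication, slicing and load-balancing stages concrete, here is an added example that models them in software. It is not xSONIC's code and not a description of any vendor's implementation; the packets are plain dictionaries constructed inline rather than frames from a real TAP, and the tool names are hypothetical. The load balancer hashes a direction-independent 5-tuple so that both halves of a TCP conversation reach the same tool, which is what an IDS needs for stream reassembly:

```python
"""Toy packet-broker pipeline: filter -> dedup -> slice -> load-balance.
Added example, not xSONIC's code; sample packets are constructed."""
import hashlib
from collections import deque

# Constructed sample: packets as a broker might receive them from three TAPs.
# Packet 2 is packet 1 seen again on a second TAP path (the dedup case);
# packet 3 is the reverse direction of the same TCP flow.
SAMPLE_PACKETS = [
    {"tap": "tap-core-1", "vlan": 100, "proto": "tcp", "src": "10.0.1.5",
     "sport": 51000, "dst": "10.0.2.9", "dport": 443, "payload": b"A" * 1400},
    {"tap": "tap-core-2", "vlan": 100, "proto": "tcp", "src": "10.0.1.5",
     "sport": 51000, "dst": "10.0.2.9", "dport": 443, "payload": b"A" * 1400},
    {"tap": "tap-core-1", "vlan": 100, "proto": "tcp", "src": "10.0.2.9",
     "sport": 443, "dst": "10.0.1.5", "dport": 51000, "payload": b"C" * 200},
    {"tap": "tap-dist-1", "vlan": 300, "proto": "udp", "src": "10.0.5.5",
     "sport": 40000, "dst": "10.0.6.6", "dport": 123, "payload": b"D" * 48},
    {"tap": "tap-core-1", "vlan": 200, "proto": "tcp", "src": "10.0.3.1",
     "sport": 52000, "dst": "10.0.4.2", "dport": 22, "payload": b"E" * 900},
    {"tap": "tap-core-1", "vlan": 100, "proto": "udp", "src": "10.0.1.5",
     "sport": 5353, "dst": "10.0.2.9", "dport": 53, "payload": b"F" * 60},
]


def packet_digest(pkt):
    """Identity used for dedup: 5-tuple plus payload. Deliberately excludes
    the TAP and VLAN so the same packet seen via two paths collapses to one."""
    h = hashlib.sha256()
    for field in ("proto", "src", "sport", "dst", "dport"):
        h.update(str(pkt[field]).encode())
    h.update(pkt["payload"])
    return h.digest()


class Deduplicator:
    """Drop a packet if an identical one was seen within the last `window` packets."""

    def __init__(self, window=1024):
        self.window, self.recent, self.seen = window, deque(), set()

    def is_duplicate(self, pkt):
        digest = packet_digest(pkt)
        if digest in self.seen:
            return True
        self.seen.add(digest)
        self.recent.append(digest)
        if len(self.recent) > self.window:  # age out the oldest entry
            self.seen.discard(self.recent.popleft())
        return False


def matches_filter(pkt, rule):
    """rule maps a field to the set of allowed values; absent field = wildcard."""
    return all(pkt[field] in allowed for field, allowed in rule.items())


def slice_packet(pkt, snaplen):
    """Truncate the payload, keeping the original length for the tool's records."""
    out = dict(pkt)
    out["orig_len"] = len(pkt["payload"])
    out["payload"] = pkt["payload"][:snaplen]
    return out


def flow_key(pkt):
    """Direction-independent 5-tuple: sort the endpoints so A->B and B->A match."""
    lo, hi = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], lo, hi)


def choose_tool(pkt, tools):
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return tools[int.from_bytes(digest[:4], "big") % len(tools)]


def run_broker(packets, rule, tools, snaplen=128, dedup_window=1024):
    dedup = Deduplicator(dedup_window)
    delivered = {tool: [] for tool in tools}
    dropped = {"filtered": 0, "duplicate": 0}
    for pkt in packets:
        if not matches_filter(pkt, rule):
            dropped["filtered"] += 1
            continue
        if dedup.is_duplicate(pkt):
            dropped["duplicate"] += 1
            continue
        delivered[choose_tool(pkt, tools)].append(slice_packet(pkt, snaplen))
    return delivered, dropped


def demo():
    # Constructed policy: the IDS pair only wants TCP on VLANs 100 and 200.
    rule = {"vlan": {100, 200}, "proto": {"tcp"}}
    return run_broker(SAMPLE_PACKETS, rule, ["ids-a", "ids-b"])


if __name__ == "__main__":
    delivered, dropped = demo()
    print("dropped:", dropped)
    for tool, pkts in delivered.items():
        print(tool, [(p["src"], p["sport"], p["dst"], p["dport"], len(p["payload"])) for p in pkts])
```

The order of the stages matters: filtering first means the dedup window is not consumed by traffic no tool wants, and slicing last means the dedup digest still covers the full payload, so two genuinely different packets with identical headers are not mistaken for duplicates.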
Where Packet Brokers Sit in the Architecture
In a typical deployment, the packet broker sits in a dedicated visibility tier between the network infrastructure and the security/monitoring tool stack. TAPs feed traffic into the packet broker from access, distribution, and core layers. The packet broker then distributes processed traffic to tools such as:
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Network forensics recorders
- Data loss prevention (DLP) engines
- Application performance monitoring (APM)
- SIEM collectors
- Compliance and packet-capture appliances
This architecture lets you add or remove tools without touching the production network. It also lets you scale from a handful of links to hundreds without deploying additional TAPs for every new tool.
Packet Broker vs Network TAP: Decision Comparison
The table below summarises the key differences for security visibility use cases.
| Criterion | Network TAP | Packet Broker |
|---|---|---|
| Primary function | Copy traffic from a link | Process and distribute traffic to tools |
| OSI layer | Layer 1 (physical) | Layer 2-7 (data link through application) |
| Traffic filtering | No | Yes, by header fields, VLAN, IP, port, protocol |
| Aggregation | Single-link only (aggregating TAPs merge one duplex link) | Multi-source aggregation across many TAPs and SPAN ports |
| Deduplication | No | Yes |
| Packet slicing | No | Yes |
| Load balancing across tools | No | Yes |
| Tunnel decapsulation | No | Yes (GRE, VXLAN, ERSPAN, MPLS) |
| Impact on production traffic | Zero by design | Zero when properly deployed (out-of-band) |
| Tool count scaling | 1:1 or 1:few (regeneration TAP) | N:M (many sources to many tools) |
| Latency added | Near zero | Sub-microsecond to low microseconds (vendor-dependent) |
| Typical use case | Single-link capture, compliance tap points | Multi-tool, multi-link enterprise or data centre visibility |
| Cost range (indicative) | Low per link | Higher upfront; lower per-tool cost at scale |
When to Use a TAP, a Packet Broker, or Both
Use a TAP alone when:
- You have a small number of links (fewer than 5-10) that need monitoring.
- Each link feeds a single dedicated tool.
- You need a guaranteed zero-impact copy for compliance or forensic capture on a specific circuit.
- Budget is constrained and traffic volumes are low.
Use a packet broker when:
- You have multiple monitoring tools that need overlapping but not identical visibility.
- You need to aggregate traffic from many links into a smaller number of high-capacity tools.
- Your network uses VXLAN, GRE, or MPLS tunnels that tools cannot natively decode.
- You need deduplication or packet slicing to fit within tool bandwidth limits.
- You want to add or remove tools without recabling or reconfiguring the production network.
Use both together (recommended for most enterprises):
In practice, TAPs and packet brokers are complementary, not competing. TAPs provide the safe, zero-impact traffic copy from the production network. Packet brokers process and distribute that traffic to the tool layer. The combined architecture gives you:
- Production safety: TAPs guarantee no monitoring-induced downtime.
- Tool efficiency: packet brokers ensure each tool receives only the traffic it needs, at the bandwidth it can handle.
- Scalability: adding a new security tool requires a configuration change on the packet broker, not new cabling to every network link.
- Flexibility: you can reassign traffic flows between tools as your security stack evolves.
Deployment Considerations for Australian Enterprises
Australian organisations face specific network visibility challenges that make the TAP-plus-broker architecture worth considering:
- Data sovereignty: the Privacy Act 1988 and the Australian Privacy Principles require organisations to know what data traverses their network and to protect personal information. A packet broker with filtering and masking capabilities helps limit what data reaches security tools, reducing compliance exposure.
- Distributed sites: many Australian enterprises operate across multiple states with WAN links between offices, data centres, and cloud on-ramps. TAPs at each site can feed a centralised or regional packet broker, giving SOC teams consolidated visibility without deploying a full monitoring stack at every location.
- Cloud and hybrid environments: packet brokers that support VXLAN and GRE decapsulation can extend on-prem visibility into overlay tunnels carrying traffic to and from hyperscaler environments.
Common Mistakes to Avoid
Relying on SPAN/mirror ports alone. SPAN ports share resources with the production switch ASIC. Under load, switches may drop mirrored traffic, silently degrading your security visibility. TAPs do not have this limitation.
Deploying TAPs without a packet broker. If you have more than a few TAPs and more than one or two security tools, managing point-to-point connections becomes a cabling and configuration nightmare. A packet broker centralises this.
Ignoring tunnel overhead. If your network uses VXLAN or GRE, your security tools may see encapsulated packets they cannot parse. A packet broker with tunnel processing can strip or decapsulate outer headers before delivery.
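What "encapsulated packets they cannot parse" looks like on the wire, and what decapsulation gives back, is shown by the added example below. It is not xSONIC's code and not the article's; it builds a VXLAN-encapsulated frame from constructed addresses (the outer 10.0.0.x addresses stand in for VTEPs, the inner 192.168.x addresses for the real endpoints) and then strips the outer Ethernet, optional 802.1Q tag, IPv4, UDP and VXLAN headers the way a broker's tunnel-processing stage would. Checksums are left at zero because nothing here is transmitted:

```python
"""VXLAN encapsulation and decapsulation on raw bytes.
Added example, not xSONIC's code; every address and payload is constructed."""
import struct

VXLAN_PORT = 4789          # IANA-assigned UDP port for VXLAN
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left as 0 (constructed frame)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def build_inner_frame():
    """Constructed inner Ethernet/IPv4 frame with 20 placeholder payload bytes."""
    payload = b"\x00" * 20
    eth = bytes.fromhex("deadbeef0001deadbeef0002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header("192.168.10.5", "192.168.20.7", 6, len(payload)) + payload


def build_vxlan_frame(vni, inner_frame, outer_vlan=None):
    """Wrap inner_frame in Ethernet[/802.1Q]/IPv4/UDP/VXLAN, VTEPs 10.0.0.1 -> 10.0.0.2."""
    eth = bytes.fromhex("0011223344550066778899aa")
    if outer_vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, outer_vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # VXLAN header: flags byte with the I bit (0x08) set, 24-bit VNI, reserved bytes.
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, udp_len, 0)
    ip = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP, udp_len)
    return eth + ip + udp + vxlan + inner_frame


def decapsulate_vxlan(frame):
    """Strip outer headers; return VNI, outer VLAN/IPs and the inner frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, outer_vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:           # optional outer 802.1Q tag
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        outer_vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_start = off
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ip_start + 2)[0]
    if frame[ip_start + 9] != IPPROTO_UDP:
        raise ValueError("outer IPv4 does not carry UDP")
    outer_ips = (".".join(map(str, frame[ip_start + 12:ip_start + 16])),
                 ".".join(map(str, frame[ip_start + 16:ip_start + 20])))
    off = ip_start + ihl
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, off)
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination is not the VXLAN port")
    off += 8
    flags_word, vni_word = struct.unpack_from("!II", frame, off)
    if not (flags_word >> 24) & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    off += 8
    # total_len bounds the inner frame so any Ethernet padding is excluded.
    return {"outer_vlan": outer_vlan, "outer_ips": outer_ips,
            "vni": vni_word >> 8, "inner_frame": frame[off:ip_start + total_len]}


def inner_ipv4_endpoints(inner_frame):
    """What a tool sees after decapsulation: the real source and destination."""
    if struct.unpack_from("!H", inner_frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return (".".join(map(str, inner_frame[26:30])), ".".join(map(str, inner_frame[30:34])))


if __name__ == "__main__":
    result = decapsulate_vxlan(build_vxlan_frame(5001, build_inner_frame(), outer_vlan=200))
    print("VNI", result["vni"], "outer", result["outer_ips"],
          "inner", inner_ipv4_endpoints(result["inner_frame"]))
```

The practical point for detection is visible in the two address pairs: a tool fed the raw frame would attribute every flow to the VTEP pair 10.0.0.1 and 10.0.0.2, while the decapsulated frame exposes 192.168.10.5 talking to 192.168.20.7, which is what signatures and east-west baselines need to match against.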
Forgetting about east-west traffic. Most enterprises focus TAPs on north-south (perimeter) links. Internal east-west traffic, especially in data centre and AI fabric environments, is increasingly important for lateral movement detection. TAPs on intra-fabric links feeding a packet broker give SOC teams east-west visibility.
Summary: TAPs Capture, Packet Brokers Curate
A network TAP captures an exact copy of traffic from a link with zero production impact. A packet broker takes those copies from many links and curates them into the right streams for the right tools. For security visibility at scale, you need both.
If you are evaluating network visibility infrastructure for your data centre, campus, or branch network, xSONIC offers packet broker platforms designed for high-throughput, multi-tool environments. Explore the xSONIC Packet Broker product range or contact the xSONIC team to discuss your visibility architecture requirements.